Security Headers Generator
Pick the headers you want, copy the exact config for your server. The fix-side companion to the headers checker.
Runs entirely in your browser — nothing is transmitted anywhere.
1 · Choose headers
2 · Pick your platform
How it works
The generator emits the same recommended values our checker
grades as a pass: a one-year HSTS with includeSubDomains, a strict starter CSP with no
unsafe-inline, nosniff, dual frame protection, a privacy-preserving referrer
policy, and a lock-it-down Permissions-Policy. Everything is generated locally from fixed templates —
scoring detail on the methodology page.
FAQ
Will these headers break my site?
Most are safe to add as-is: HSTS (if you're fully on HTTPS), nosniff, frame protection,
and Referrer-Policy rarely break anything. CSP is the exception — the starter policy here blocks inline
scripts and third-party sources, so test it in report-only mode first and extend it for what your site
actually loads.
Why does the starter CSP not include unsafe-inline?
Because unsafe-inline defeats most of CSP's XSS protection — our own checker downgrades
any policy that allows it. Move inline scripts to external files, or use nonces or hashes, instead of
allowing everything inline.
Do I still need X-Frame-Options if CSP has frame-ancestors?
frame-ancestors supersedes X-Frame-Options in every modern browser, but
keeping both costs nothing and covers legacy user agents — the generator emits both by default.